C# Create an Auth Token from Guid combined with 40Char Hex string (UUID)

Question

I am writing an asp.net MVC app that drives an IPhone application.

I want the Iphone to send me its UUID looks like this:

2b6f0cc904d137be2e1730235f5664094b831186

On the server I want to generate a Guid:

466853EB-157D-4795-B4D4-32658D85A0E0

On both the Iphone and the Server I need a simple aglorithm to combine these 2 values into an Auth token that can be passed around. Both the IPhone and the ASP.NET MVC app need to be able to compute the value over and over based on the UUID and the GUID.

So this needs to be a simple algorithm with no libraries from the .net framework.

Full Solution Here

        public void Test()
        {    
            var DeviceId = Guid.NewGuid();
            var newId = "2b6f0cc904d137be2e1730235f5664094b831186";

            var guidBytes = DeviceId.ToByteArray();
            var iphoneBytes = StringToByteArray(newId);
            byte[] xor = new byte[guidBytes.Length];

            for (int i=0;i<guidBytes.Length;i++)
            {
                xor[i] = (byte) (guidBytes[i] ^ iphoneBytes[i]);
            }

            var result = ByteArrayToString(xor);               
        }

        public static byte[] StringToByteArray(String hex)
        {
            int NumberChars = hex.Length;
            byte[] bytes = new byte[NumberChars / 2];
            for (int i = 0; i < NumberChars; i += 2)
                bytes[i / 2] = Convert.ToByte(hex.Substring(i, 2), 16);
            return bytes;
        }

        public static string ByteArrayToString(byte[] ba)
        {
            StringBuilder hex = new StringBuilder(ba.Length * 2);
            foreach (byte b in ba)
                hex.AppendFormat("{0:x2}", b);
            return hex.ToString();
        }

Answer 1

Well, the iPhone ID looks like a hex string, so converting both to binary and XORing the bytes ought to do it. You could store the result as an array, hex string, or base-64 encoded string as appropriate.

The way you refer to this as an "auth token" is a little concerning, however. Session ids must be unpredictable. You might consider generating an array of cryptographically random data on the server instead of a GUID.

Edit

// Convert the server GUID to a byte array.
byte[] guidBytes = severGuid.ToByteArray();

// Convert the iPhone device ID to an array
byte[] idBytes = StringToByteArray(iPhoneId);

Sadly, it seems .NET doesn't have a built-in method to convert to/from hex strings, but this subject has been covered before: Convert byte array to hex string and vice versa

// Once you've XORed the bytes, conver the result to a string.
string outputString = ByteArrayToString(outputBytes);

Answer 2

Rather than XORing, which loses information, you could just concatenate these hex digits.

Answer 3

Why do you even need the GUID? The phone ID is unique, the GUID seems to add no value.

Answer 4

I thought you can use two way algorithm. It mean the algorithm can be encode and decode like Base64, SHA256, AES

Answer 5

Just as a side note, all the "auth token" mechanisms I've worked with (at least) concatenated a constant value (a "secret") with the current time, then hashed them together then sent the hash and the date. The server then reconstructed the hash from the received date and known "secret" and then compared to the received hash (signature). My point here was "concatenated with date" - this allows the resulting signature to be different every time which in theory should be more secure.